Phoenix.pm: So, what are the merits of -T on CGI scripts?

EdelSys Consulting edelsys at edelsys.com
Thu Sep 2 18:44:54 CDT 1999


At 04:33 PM 09/02/1999 -0700, you wrote:
>
> > sub untaint
> > 
> > { my($taint)=@_;
> > 
> >   my $untaint =  $taint;
> > 
> >   $untaint    =~ s/\.\.//g;
> >   $untaint    =~ s/\+/ /g;
> >   $untaint    =~ s/\;//g;
> >   $untaint    =~ s/\&//g;
> >   $untaint    =~ s/\|//g;
> >   $untaint    =~ s/\>//g;
> >   $untaint    =~ s/\<//g;
> >   $untaint    =~ s/\?//g;
> >   $untaint    =~ s/\*//g;
> >   $untaint    =~ s/\]//g;
> >   $untaint    =~ s/\[//g;
> >   $untaint    =~ s/\'//g;
> >   $untaint    =~ s/\"//g;
> >   $untaint    =~ s/\,//g;
> > 
> >   $untaint    =~ /^(.*)$/s;
> >   $untaint    = $1;
> > 
> >   return($untaint); }
> > 
> > These two lines
> > 
> >   $untaint    =~ /^(.*)$/s;
> >   $untaint    = $1;
> > 
> > are what actually remove the taint flag from
> > the variable.  The other lines are just removing
> > "questionable" characters (e.g. shell metacharacters)
> > from the variable.
> > 
> > Tony
>
> why not cast
>
> $untaint =~ s/\.\.|[]+;&|<>?*'",]//go;
> $untaint =~ /^(.*)$/s;
> $untaint = $1;
>
> and get them in one swell foop?  (YMMV on actual syntax....)
>
> Well, other than clarity; but that's what comments are for.  :-)
>
> David
>

Sure, you can do that if you want. =)

Tony
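The untaint sub quoted above strips a list of known-bad characters and then captures `/^(.*)$/s` to clear the taint flag, so anything not on the blocklist passes through untainted. The following is an added example, not code from either message, of the inverse approach that perlsec recommends: match only an allowlist of characters, anchored with `\z`, and reject everything else. The `untaint_filename` name, the 64-character limit and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Allowlist untaint: a value is accepted only if the WHOLE string matches
# the pattern for a plain file name. In a real CGI the input would come
# from a tainted source such as $ENV{QUERY_STRING} or STDIN; under -T the
# capture $1 is the only thing that loses the taint flag, and it can only
# contain characters the pattern permits.
sub untaint_filename {
    my ($tainted) = @_;
    # \z (not $) so a trailing newline cannot sneak past the anchor.
    # First character may not be '.', which also rules out '..' segments.
    if ($tainted =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/) {
        return $1;
    }
    return;    # undef: the caller must treat this as a rejected value
}

# Constructed sample inputs (assumption: what a form field might carry).
my @samples = (
    'report.txt',        # accepted
    '../etc/passwd',     # rejected: leading '.', '/' not in allowlist
    'a;rm -rf /',        # rejected: shell metacharacters
    "report.txt\n",      # rejected: \z refuses the trailing newline
    'x' x 65,            # rejected: over the length limit
);

for my $input (@samples) {
    my $shown = $input;
    $shown =~ s/\n/\\n/g;
    my $clean = untaint_filename($input);
    printf "%-18s -> %s\n", "'$shown'",
        defined $clean ? "ok: $clean" : "rejected";
}
```

Run it as `perl -T example.pl` so taint checking is actually in force. The design point is fail-closed: with a blocklist, every character nobody thought of (a newline, a backtick, a null byte) is silently untainted; with an allowlist, the worst case of an omission is that a legitimate value is rejected and has to be added to the pattern.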



